NIST SP 800-63 (Digital Identity Guidelines) — IAL, AAL, FAL Levels
NIST's authoritative digital identity guidelines defining three assurance level scales — identity, authenticator, and federation — for government and regulated-sector systems.
NIST Special Publication 800-63-3 (2017), with SP 800-63-4 in final public draft as of 2024, provides the U.S. federal government's digital identity framework, widely adopted in regulated industries including healthcare (HIPAA), financial services, and state government systems. The suite comprises four volumes: SP 800-63 (overview and definitions), SP 800-63A (Identity Assurance Levels, IAL), SP 800-63B (Authenticator Assurance Levels, AAL), and SP 800-63C (Federation Assurance Levels, FAL). The three assurance scales are independently evaluated: a system can require IAL2 (remote identity proofing), AAL3 (phishing-resistant hardware authenticator), and FAL1 (signed assertions without encryption) depending on its risk profile — they are not bundled.
Identity Assurance Level (IAL) addresses identity proofing: verifying that a claimed identity corresponds to a real, unique individual. IAL1 requires no identity proofing. IAL2 requires either in-person or supervised remote proofing with document verification against authoritative sources (for example a driver's license, or a passport read via its NFC chip or matched by biometric comparison). IAL3 requires in-person proofing by a trained operator with physical examination of identity documents.

Authenticator Assurance Level (AAL) addresses authentication strength. AAL1 permits single-factor authentication. AAL2 requires two-factor authentication with at least one phishing-resistant factor or a hardware OTP device. AAL3 requires a phishing-resistant hardware cryptographic authenticator (a FIDO2/WebAuthn hardware token) and a verifier impersonation-resistant channel, meaning the authenticator must cryptographically bind to the verifier rather than merely present a code.
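The verifier binding that separates AAL3 from a code-based factor, shown as an added example that is not from this page or from NIST: a constructed, simplified WebAuthn-style assertion in Go (standard library only) in which the authenticator signs over the rpId hash and the origin the browser observed, so the verifier can reject an assertion produced at a look-alike origin or replayed under a stale challenge. The function names, the bank.example relying party and the nonce values are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed, simplified WebAuthn assertion: authData = SHA-256(rpId) || flags || counter,
// clientData = JSON {type, challenge, origin the browser observed}, sig = ECDSA over both.
func signedHash(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// Sign models the authenticator; the browser, not the user, fills in rpId and origin.
func Sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, clientData, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags=UP, 4-byte counter=1
	clientData, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedHash(authData, clientData))
	return
}
// Verify models the RP's verifier. A bare OTP has no equivalent of these checks:
// nothing in a six-digit code records which site it was typed into.
func Verify(pub *ecdsa.PublicKey, authData, clientData, sig []byte, rpID, origin, challenge string) bool {
	var cd struct{ Type, Challenge, Origin string }
	if json.Unmarshal(clientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false // look-alike origin, or a stale (replayed) challenge
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return false // assertion was scoped to a different relying party
	}
	return ecdsa.VerifyASN1(pub, signedHash(authData, clientData), sig)
}
// Demo: a genuine assertion, one produced at a look-alike origin, and a replay.
func Demo() (legit, phished, replayed bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rp, origin = "bank.example", "https://bank.example"
	check := func(signOrigin, signNonce, expectNonce string) bool {
		a, c, s := Sign(key, rp, signOrigin, signNonce)
		return Verify(&key.PublicKey, a, c, s, rp, origin, expectNonce)
	}
	return check(origin, "n1", "n1"), check("https://bank-login.example", "n2", "n2"), check(origin, "n1", "n3") // true, false, false
}
```

In a real deployment the browser additionally refuses to use an rpId that is not a registrable suffix of the page's origin, so the origin check here is the second of two layers, not the only one.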
Federation Assurance Level (FAL) addresses the strength of assertions in federated identity scenarios (OAuth, OIDC, SAML). FAL1 requires bearer assertions signed by the IdP. FAL2 requires holder-of-key assertions: the relying party must present proof of possession of a key referenced in the assertion, which prevents a stolen assertion from being used on its own. FAL3 requires holder-of-key with the subscriber authenticating to the RP using the same hardware token used during IdP authentication, tying federation to a specific phishing-resistant authenticator.

The SP 800-63-4 draft introduces significant changes: deprecation of SMS OTP as an acceptable AAL2 factor, removal of knowledge-based authentication (KBA) for identity proofing at IAL2, and new requirements for passkey (discoverable FIDO2 credential) support as an AAL2/AAL3 pathway.
We conduct NIST 800-63 assurance level assessments by mapping system transaction risk levels to appropriate IAL/AAL/FAL requirements, then implement identity proofing pipelines with document verification APIs (Jumio, Onfido, IDEMIA) for IAL2, FIDO2/WebAuthn hardware token authentication for AAL3, and holder-of-key federation patterns for FAL2/FAL3. We track SP 800-63-4 draft changes to plan SMS OTP deprecation timelines.